10Fold – Security Never Sleeps – 36

Your daily digest of “All Things Security” gathered, collected and researched by your very own 10Fold Security Practice team.

Big items to consider: Israel’s Electricity Authority experienced a serious hack attack that officials are still working to repel, though they have identified the virus and the software to neutralize it. A security breach discovered at Juniper Networks has U.S. officials worried that foreign hackers have been reading the encrypted communications of U.S. government agencies for the past three years. Independent security researcher Michael Stepankin has reported a since-patched remote code execution hole in PayPal that could have allowed attackers to hijack production systems. One of the FBI’s top attachés based in the UK offered a terse defense of the agency’s sometimes-controversial hacking tactics and described how innocents on the Tor anonymizing network were protected from digital exploits with a human “wall” that sifted hacked data before it landed in the hands of investigators.

Israel’s electric authority hit by “severe” hack attack
Publication: Ars Technica
Reporter name: Dan Goodin

Israel’s Electricity Authority experienced a serious hack attack that officials are still working to repel, the country’s energy minister said Tuesday. The virus was already identified and the right software was already prepared to neutralize it, according to the Israeli Energy Minister, Yuval Steinitz, but the computer systems of the Israeli Electricity Authority are still not working as they should. There’s no indication Israel’s power grid was attacked, though the attack came five weeks after Ukraine’s power grid was disrupted in what is believed to be the world’s first known hacker-caused power outage.


The Data Breach You Haven’t Heard About
Publication: The Wall Street Journal
Reporter name: Will Hurd

A security breach recently discovered at Juniper Networks has U.S. officials worried that foreign hackers have been reading the encrypted communications of U.S. government agencies for the past three years. On Dec. 17 the California-based Juniper Networks announced that an unauthorized backdoor had been placed in its ScreenOS software, and that a breach had been possible since 2013. This allowed an outside actor to monitor network traffic, potentially decrypt information, and even take control of firewalls. Days later the company provided its clients, which include various U.S. intelligence entities, with an “emergency security patch” to close the backdoor. The federal government has yet to determine which agencies are using the affected software or if any agencies have used the patch to close the backdoor.


PayPal is the latest victim of Java deserialization bugs in the Web apps
Publication: PC World
Reporter name: Lucian Constantin

PayPal has fixed a serious vulnerability in its back-end management system that could have allowed attackers to execute arbitrary commands on the server and potentially install a backdoor. Independent security researcher Michael Stepankin has reported a since-patched remote code execution hole in PayPal that could have allowed attackers to hijack production systems. The critical vulnerability affecting manager.paypal.com, revealed overnight, was reported December 13th and patched soon after disclosure. After determining that the PayPal site was vulnerable to Java deserialization, Stepankin was able to exploit the flaw in order to execute arbitrary commands on its underlying Web server. After he reported the issue to PayPal and it got fixed, the company gave him a reward through its bug bounty program, even though his report was marked as a duplicate.


FBI: A ‘Human Wall’ Protects Innocents From Our Hacking Exploits
Publication: Forbes
Reporter name: Thomas Fox-Brewster

The FBI doesn’t often publicly discuss its use of Network Investigative Techniques, a catch-all term for digital attacks on suspect computers. But one of its top attachés based in the UK offered FORBES a terse defense of those sometimes-controversial tactics and described how innocents were protected from digital exploits with a human “wall” that sifted hacked data before it landed in the hands of investigators. TorMail was compromised by law enforcement back in 2013 and used to hack customers suspected of involvement in child abuse, according to a Washington Post report. Investigator Michael Driscoll explained to FORBES that the “wall” was predominantly human, one consisting of people trained to determine what data could be used in an investigation. As the FBI continues to test the waters with fresh hacking techniques, it can expect more of those questions about its activities.